The argument can certainly be made that the United States health care sector is perhaps the most crucial industry within the U.S. economy, with direct impacts felt across every economic facet. With an overall estimated sector value of $4.68 trillion and a ten-year growth rate of 107.18%, it is no wonder that whatever affects this industry affects everyone across the board. This stems from the unique nature of health care and medicine: at its core it is a basic personal necessity that everyone requires throughout their life, from routine physical check-ups to extensive procedures that save an individual’s life. Through gathering and analyzing personal data on patients, decisions are made on which treatments to administer and which procedures to recommend. Such valuable data lends itself to being a prime target of cybercrime and cybercriminals.
Over the past couple of weeks the focus of cybersecurity professionals around the world has been on the WannaCry ransomware attack that became a global malware scare. The infection spread was reminiscent of the Slammer and Conficker outbreaks of years past, but at a much faster velocity, judging by the number of attempted connections to the formerly non-existent domains hard-coded in the malware. This event has thrust the concept of ransomware directly into public awareness, much like previous virus and worm outbreaks, due to its vast reach across multiple continents and economic sectors, sending many businesses to establish emergency command centers to apply the necessary fixes before they became victims. Nowhere was this scramble to protect assets from infection more apparent than in healthcare organizations.
This has led to horror stories such as Hollywood Presbyterian Medical Center paying the equivalent of $17,000 USD in ransom after its infrastructure was compromised by ransomware, or Kansas Heart Hospital, which paid as well but was extorted for further payments after it discovered that not all files were decrypted as promised. Keep in mind that these two incidents are only what is known publicly about incidents in the healthcare sector. IBM Security estimates that ransomware-style attacks increased an astonishing 6,000% in 2016 versus the previous year, and that 70% paid ransoms of at least $10,000 USD. Most victims do not want to acknowledge that their businesses have fallen to such attacks for fear of negative publicity.
What makes healthcare providers and organizations such prime targets for cybercrime and criminals? Much has to do with the glacial pace at which healthcare organizations adopt and secure technology. It is certainly perplexing, looking in from the outside, that an industry that relies on procuring and analyzing data in order to provide informed diagnoses and treatment has failed to keep its information security posture in step with changes in technology. Yet the industry is sometimes held hostage by vendors who refuse to let their devices be modified to patch security vulnerabilities, forcing insecure operating systems and software to remain within the IT infrastructure of a healthcare provider. This makes ransomware like WannaCry particularly frightening for hospitals and medical offices: WannaCry leveraged the CVE-2017-0144 and CVE-2017-0145 vulnerabilities in SMBv1, and applying the patch to Windows operating systems could break device and software compatibility.
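Because patching is not always an option on vendor-locked clinical systems, the first defensive step is simply knowing which Windows hosts still have SMBv1 enabled. The script below is an added example written for this post, not a tool from Open Source Systems or Microsoft; it uses the built-in Get-SmbServerConfiguration, Get-WindowsOptionalFeature and Set-SmbServerConfiguration cmdlets (available on Windows 8 / Server 2012 and later) and is read-only unless the -Disable switch is passed, so it can be run on a device first to assess exposure before any change is made.

```powershell
<#
  Audit-Smb1.ps1 (added example, hypothetical script name)
  Reports whether the SMBv1 server protocol is enabled on this host and,
  only when -Disable is given, turns it off. Run as Administrator.
#>
param(
    [switch]$Disable   # without this switch the script only reports
)

function Get-Smb1State {
    # Server-side SMBv1 flag (the surface WannaCry's SMB exploit targeted)
    $server = Get-SmbServerConfiguration | Select-Object -ExpandProperty EnableSMB1Protocol

    # Optional-feature state on Windows 10 / Server 2016+; older builds lack it
    $feature = $null
    try {
        $feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop).State
    } catch {
        $feature = 'NotReported'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SMB1ServerEnabled  = $server
        SMB1FeatureState   = $feature
        Timestamp          = (Get-Date).ToString('s')
    }
}

$state = Get-Smb1State
$state | Format-List

if ($state.SMB1ServerEnabled -and $Disable) {
    # Disabling SMBv1 can break legacy devices that only speak SMBv1;
    # confirm vendor compatibility before running with -Disable.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Output "SMBv1 server protocol disabled on $($state.ComputerName)."
} elseif ($state.SMB1ServerEnabled) {
    Write-Warning "SMBv1 is enabled on $($state.ComputerName); re-run with -Disable after verifying device compatibility."
} else {
    Write-Output "SMBv1 server protocol is already disabled."
}
```

Collecting the output object from each host (for example via Invoke-Command) gives an inventory of where SMBv1 still lives, which is exactly the list a healthcare provider needs when deciding which systems can be patched, which must be isolated on a segmented network, and which need a vendor conversation.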
So how do healthcare providers mitigate such risks? This is where Open Source Systems can offer assistance. We provide a range of cybersecurity and information security capabilities based on prior experience assisting private and government sectors in securing their information domains. Our experience includes:
- Implementing and adapting the National Institute of Standards and Technology (NIST) 800-37 Risk Management Framework to meet each unique operational business model.
- Conducting business and architectural reviews for risk analysis using the Risk Maturity Model based on best practices and standards.
- Conducting Penetration Testing based on Lockheed Martin’s Cyber Kill Chain model to determine the security posture of your network IT environment.
- Providing Open Source Systems and Software alternatives to help provide greater inherent system security and flexibility in business procurements.
- Cyber Threat Analysis and Intelligence, drawing from years of experience providing the Department of Defense and the Services with actionable intelligence to protect critical US government IT assets.
- Providing full ISO-15288 life cycle systems engineering services with security in mind from start to finish.